HMRC plan to share taxpayers' data attacked

A proposal by HMRC to release millions of taxpayers' personal data to private firms has whipped up a storm on data privacy.

HMRC plan to share taxpayers' data attacked

The idea was described as ‘borderline insane' by senior Tory MP David Davis, according toThe Guardian which reported the plan on Good Friday.

The scheme, part of draft legislation being drawn up by The Treasury, would allow HMRC (Her Majesty's Revenue & Customs) to release or even sell “anonymised” personal data to third parties including companies, researchers and public bodies where there is a public benefit.

However, this has caused something of a privacy storm, and especially on the possibility that anonymised data could be “re-identified”. These concerns come some two months after the UK government decided to delay its £50 million care.data scheme, which aims to share electronic patient records from every GP in England, after confidential data was published online and sold to third-parties.

Data privacy expert Stewart Room, a partner at law firm Field Fisher Waterhouse, believes HMRC has failed to deal with the technical concerns over “anonymised” data and is also suffering from a lack of public trust post-Snowden.

He told SCMagazineUK.com: “There's quite a bit of moral panic now around data sharing from government to other parts of the economy, so the Government ought to be thinking a little bit harder about these initiatives and how they're made public, who's consulted with and what the concerns are.

“As a matter of law, the anonymisation of personal data about taxpayers removes data protection concerns around sharing. But there is a different issue here, which is the reality of anonymisation - it's not good enough for a data controller to assert we have anonymised because technical users will know anonymisation is not always successful.

“What the Government will be asserting is ‘trust me'. Well, in light of Snowden and all that sort of stuff, you can't really assert ‘trust me' any more. People want a bit more assurance or a bit more evidence that this stuff is really anonymised.”

His views about lack of trust in the Government and the security of anonymised data were echoed by privacy campaign group Big Brother Watch.

Its deputy director, Emma Carr, told SCMagazineUK.com via email: "The ongoing claims about anonymous data overlook the serious risks to privacy of individual level data being vulnerable to re-identification. Given the huge uproar about similar plans for medical records, you would have hoped HMRC would have learned that trying to sneak plans like this under the radar is not the way to build trust or develop good policy.

"Given those who abuse personal information cannot be sent to jail, this is yet another instance where Government should be putting proper protections in place before any more data is shared, rather than just hoping nothing goes wrong.”

A spokesman for HMRC pointed out that the “potential to share HMRC data for public benefit” was first consulted on last summer and appeared in the Chancellor's last Autumn Statement.

He also downplayed the sensitivity of the data at stake, telling SCMagazineUK.com via email that examples include “employment information for people who've been in certain government programmes being used to assess whether the programmes have helped to get them into work” and “information on housing characteristics which could be used to explore how they link to excess winter mortality rates”.

He added: “Any draft legislation would be subject to further consultation and then parliamentary scrutiny.”

An HMRC statement insisted: "No final decisions have been taken, but HMRC remains committed to safeguarding taxpayer confidentiality. HMRC would only share data where this would generate clear public benefits, and where there are robust safeguards in place.

"Last year's consultation made it very clear that there would be a rigorous accreditation process for anyone wanting access to the data and that any access would take place in a secure environment.”

On the subject of selling the data, HMRC said: “HMRC will be consulting further and will ask for views on whether to charge to cover the costs of processing and providing anonymised data. This would not be charging for the data itself, purely covering the costs of providing it."

SC Media UK arms cyber-security professionals with the in-depth, unbiased business and technical information they need to tackle the countless security challenges they face and establish risk management and compliance postures that underpin overall business strategies.